A vulnerability in an ActiveX control shipped with Microsoft's Outlook 98, Outlook 2000 or Outlook 2002 e-mail software could let an attacker run malicious code on a victim's computer via either a Web page or HTML e-mail.
The defect lies in the Microsoft Outlook View Control, an ActiveX control that allows Outlook mail folders to be viewed via Web pages, according to Microsoft. The company alerted Technical Account Managers who are part of its world-wide support network to encourage users to apply administrative measures outlined in an updated advisory the company released this morning.
Normally, the control should only allow users to passively view mail or calendar data. But the vulnerability could expose a function that allows Web pages to actively manipulate Outlook data, thus allowing attackers to delete mail, change calendar information or run destructive code on a victim's computer via Outlook, the advisory said.
There are two ways in which users can expose themselves to the vulnerability, said Scott Culp, a program manager at Microsoft's security team.
One is by simply visiting a malicious Web page; the other is by opening up malicious HTML e-mail, Culp said.
"It is not needed for users to open or click on attachments" for the control to be invoked, said Georgi Guninski, the Bulgarian bug-hunter who first reported the problem to Microsoft on July 9. Users can trigger the malicious code simply by visiting a Web page or by previewing Outlook e-mail messages, he said in an e-mail to Computerworld.
"It is extremely easy to find the vulnerability. ... I found it very quickly after I installed Office XP," Guninski said. "And if Outlook 98 is affected, as Microsoft states in their advisory, this means it has been around for years."
Guninski has been responsible for discovering dozens of similar bugs in Microsoft products. However, his decision to publish details of the latest vulnerability and how to exploit it, before Microsoft has had a chance to fix the problem, was irresponsible, Culp said.
"As a direct result of Mr. Guninski's actions, customers are exposed to a far greater risk than they would have been" if he had simply given Microsoft a chance to respond, Culp said.
As it is, Microsoft's advisory just warns users of the problem and advises them how to work around it by temporarily disabling ActiveX controls in the IE Internet Zone. Customers need to also ensure that they have installed the Outlook E-mail Security Update that Microsoft has made available, Culp said. The Update causes HTML e-mails to be opened in a restricted zone where ActiveX controls are disabled by default.
Culp claimed Microsoft is working on a patch to fix the problem, but it didn't give any estimates on when it would be available.
"Because Mr. Guninski chose to publicize this in such an irresponsible manner, customers are going to be forced to touch their systems twice" to fix the problem, he said. The first time will be to implement the work-around and the second time to install the patch, Culp explained.
